Exploring the Infection Chain: ScreenConnect's Link to AsyncRAT Deployment

July 5, 2024, 4:20 p.m.

Description

In June 2024, eSentire's Threat Response Unit observed several incidents involving users downloading the ScreenConnect remote access client, potentially facilitated through drive-by downloads. Threat actors exploited ScreenConnect to establish unauthorized remote sessions, ultimately deploying the AsyncRAT trojan. The malicious scripts that were executed used techniques such as delaying tactics and conditional execution to evade detection by security software.

Date

Published: July 5, 2024, 2:48 p.m.
Created: July 5, 2024, 2:48 p.m.
Modified: July 5, 2024, 4:20 p.m.

Indicators


Attack Patterns

AsyncRAT

T1053.005

T1490

T1059.005

T1027.002

T1204.001

T1059.003

T1059.001

T1027.005

T1059.007

T1059.004

T1204.002

T1055

T1219

T1204

T1027

T1053

T1562

T1090

T1059